Re: [GNAP] "Access Token" when calling AS is really a cookie
Fabien Imbault <fabien.imbault@gmail.com> Wed, 25 November 2020 20:43 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4727C3A1CBF for <txauth@ietfa.amsl.com>; Wed, 25 Nov 2020 12:43:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mVVxJDEAUDOy for <txauth@ietfa.amsl.com>; Wed, 25 Nov 2020 12:43:37 -0800 (PST)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C46BF3A1CBE for <txauth@ietf.org>; Wed, 25 Nov 2020 12:43:37 -0800 (PST)
Received: by mail-io1-xd2b.google.com with SMTP id m13so3459097ioq.9 for <txauth@ietf.org>; Wed, 25 Nov 2020 12:43:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=P9Sk11h9gvFAH4TJbsq5a6DSCQ7FEKDBAacFuyysC1U=; b=T5LW9cXDByjogf1ZQDr+Pepr8JKbs1fTTCmcpXPDFVCeQcHf3Qlt3iI9NzcLLkq21R LxyAOOsgp4A/WmhwomYUvKOqMVuvdA10ntbN4wZrKiHG28eZCaaLrVfZAMIsX1MRzihw DjQ/py1EysgrJwRnWco03jxGJsQvmWjJ/jNjbtW6NtbRNG+m5rhR8FFCnTKuOcHHFswX AB3eydx9JJrdtgITlxl1oE2bnW/R2M43lkzcMpdyHobwM6FrB5Fs7r51rm1nRgBZLdX/ RppOveUl9KsqsAkuCkn9r7hQ2wb+s2tF+MftAMzoK48Kr4cXYJmVC43BXTyR8lD+M6eG W9VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=P9Sk11h9gvFAH4TJbsq5a6DSCQ7FEKDBAacFuyysC1U=; b=roETD4axI9e/la+mfNp++H/tvswyk0A3uqAFBWF0O2OAm0ZN4Gcbbvf5RrydLt0L3U EKyNmUf+wsCseHQEc/J/x0/dyQXyosCRkGb1mrbVlmnHinQac8JW35CG+O8tJR+doNFw TmypPf+YuMl04pkwNaPIx61r3G3G5RUOk4SjL0Z/RjqBbI4XNrVRrJmGh01OncnCWDjV r7uH3utiGAyIoiq2UERub6ff/56p2JSNeKZsjMO4ZN2f1xXahfUbG1N6s1GmDI66yGDc TDw0woYIrCr9II0R/vqqILw9jYE+4USXB6uT7aipFdjYXFjuUchhpSUpWhG9DWKbbJSZ FsSQ==
X-Gm-Message-State: AOAM533PQNAEQ+XOjJtXSiy1OsCPJ2Q7SKNVCtt3tOVbdf/jBc+NVd9a 6DdC1yw9xEn51Oa7LF4ZDEQlQYEA6u9k6FgzLxg=
X-Google-Smtp-Source: ABdhPJzXEt+pLjI28MwFYXJ3DgGskTh7lbpVVMkN79oamaopN8A2XEhtse1L1yCH1X+AboYJFD0CtICCUOLDFuDExfI=
X-Received: by 2002:a6b:4401:: with SMTP id r1mr4073807ioa.78.1606337016929; Wed, 25 Nov 2020 12:43:36 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-vKSpV6eC3CUPzwFog5yOb+zeshLJC7+8RgNeF9CNFiww@mail.gmail.com> <CAM8feuSh0q3mf+KapqV7Sxo+k9GSaibAbGwK7J2vPh-EAAprwQ@mail.gmail.com> <CAD9ie-vpURieTiZpeCfLscPCtU1VY_CrtOP3UAxFogku6gL0iw@mail.gmail.com> <CAM8feuRLNwvN9VP2w9L9WYtSTpyUR1Wbe8nT88RKb6jhaMWY6w@mail.gmail.com> <CAD9ie-vnZH-zexJ8yiRyozzbCLJKe1sVVfoeKtgysUG32UhAGQ@mail.gmail.com> <CAM8feuT3DLCOc7nj2zS4XLy4ktZ5TaBJv=W52YnEY8DzWfyvZA@mail.gmail.com> <9D3D60CC-5019-4CC2-BE2D-4EF789FABE31@mit.edu> <CAD9ie-tN82_Mqb1BvdkZsnKT2Tt5L0i0P_V9hWAFknXn=G1nxQ@mail.gmail.com> <CAM8feuSv5=dr-2YhQx5SwxX9fu0DZ3o2zKyMeG4-iS3OXqVLhQ@mail.gmail.com> <CAD9ie-u_Vggw2prSXCR20wqn=cSiEj7QuwczqtzPb8_3hL+=EA@mail.gmail.com>
In-Reply-To: <CAD9ie-u_Vggw2prSXCR20wqn=cSiEj7QuwczqtzPb8_3hL+=EA@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Wed, 25 Nov 2020 21:43:25 +0100
Message-ID: <CAM8feuSRKujM7-Y39ednMoCekNpW2fQqJ06fTfpv_Kb4=wrbJw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000489f6e05b4f47b69"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/VlSvcfiSO41wfkuXG2I7LXSJV2A>
Subject: Re: [GNAP] "Access Token" when calling AS is really a cookie
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2020 20:43:40 -0000
Couldn't say I agree here. Will send more info and explanations when I reopen my laptop tomorrow morning :-) Fabien Le mer. 25 nov. 2020 à 21:37, Dick Hardt <dick.hardt@gmail.com> a écrit : > Would you share a link? I see the discussion on the access token pull > request, but no discussion on unique URLs. > > Do you agree with my assessment of the "access token"? > > ᐧ > > On Wed, Nov 25, 2020 at 12:33 PM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > >> Hi Dick, >> >> There is more context on the rationale, from the comments the editors >> made to the issues yesterday. >> >> Especially the part on unique URLs. >> >> Best >> Fabien >> >> >> Le mer. 25 nov. 2020 à 21:27, Dick Hardt <dick.hardt@gmail.com> a écrit : >> >>> >>> There are numerous issues with the proposal: >>> >>> 1) It is not an "access token". Just because it is sent in the HTTP >>> Authorization header does not make it an access token. The client has >>> already authenticated before the "access token" is presented. The AS >>> already knows what the client is authorized to do at the AS before the >>> "access token" is issued, so it is not needed to represent authorization as >>> an access token is with an RS. The "access token" is serving the purpose >>> that the transaction handle served in the past -- the context of the >>> transaction. Per my earlier comments, this "access token" is more like a >>> cookie. >>> >>> 2) Calling it an "access token" is changing the well known meaning of an >>> access token as used in OAuth. The client authenticates to the AS APIs in >>> OAuth 2.0, it does not present an access token. Access tokens are presented >>> by a client to an RS to prove authorization. >>> >>> 3) What the client has to do with the "access token" is not the same as >>> access tokens for an RS. The client gets a new "access token" for each >>> grant request, and for each API call to the AS, and the client learns it >>> can not make any more API calls for that specific request when it does not >>> get an "access token" back. This is a completely different design pattern >>> than calling an RS API with an access token, and is a new design pattern >>> for calling APIs. This adds complexity to the client that it would not >>> normally have, and I don't think GNAP is the right place to start a new >>> design pattern. >>> >>> 4) Clients that only want claims from the AS and no access tokens will >>> be required to support an API calling mechanism they would not have to >>> support otherwise. >>> >>> 5) If the AS does not provide an "access token", there is no mechanism >>> for a client to delete the request, as the client is not allowed to make a >>> call without an "access token". >>> >>> 6) There is no standard identifier for the request. Debugging and >>> auditing are hampered by the client and AS having no standard way to >>> identifying a request. While one AS may provide a unique URL for each grant >>> request, another AS may use a persistent "access token" to identify the >>> grant request, and other ASs may issue a new "access token" on each API >>> call, providing no persistent identifier for the request. >>> >>> Representing each grant request with an unique URL has the following >>> advantages: >>> >>> 1) It follows the common REST like API model where each resource has a >>> URI which is well understood. >>> >>> 2) There is only one way for a client and AS to identify a grant request. >>> >>> 3) There is a standard, persistent unique identifier for the client and >>> AS to refer to a grant request. >>> >>> >>> FWIW: the statement that it is more "access token" like than a cookie >>> because it is bound to a key is untrue. Binding cookies to keys was the >>> motivation for RFC 8471 - The Token Binding Protocol Version 1.0. Having >>> the "access token" bound to a key provides no value as the AS already knows >>> which client it is through client authentication. The only time that would >>> not be the case is if the "access token" was self contained and the grant >>> request APIs were at an server independent of the AS where the original >>> request was made. >>> >>> >>> >>> >>> ᐧ >>> >>> On Mon, Nov 23, 2020 at 9:55 AM Justin Richer <jricher@mit.edu> wrote: >>> >>>> An important distinction here is that the access tokens in question are >>>> always going to be bound to a key for presentation purposes, so in many >>>> ways they are quite distinct from cookies. >>>> >>>> Since “continuation” in its various forms is now an API, why not treat >>>> it like other APIs the client would call and use access tokens? >>>> >>>> Apart from design choices, what is the negative cost of requiring an >>>> access token? >>>> >>>> We aren’t asking the client to do anything it’s not already doing. Even >>>> if the client is going to use bearer tokens at a downstream RS, the >>>> signature presentation mechanism for the bound access token at the >>>> continuation API is exactly the same as what the client used in the first >>>> place to get the continuation response. >>>> >>>> We aren’t asking the AS to do anything special either since it already >>>> needs to be able to validate the signature inbound, and it needs to be able >>>> to reference an artifact for the ongoing request (stateful or not). >>>> >>>> — Justin >>>> >>>> On Nov 23, 2020, at 12:44 PM, Fabien Imbault <fabien.imbault@gmail.com> >>>> wrote: >>>> >>>> Yes. "Cookies were designed to be a reliable mechanism for websites to >>>> remember stateful <https://en.wikipedia.org/wiki/Program_state> information". >>>> We're not storing anything, it's just a reference. >>>> >>>> On Mon, Nov 23, 2020 at 6:38 PM Dick Hardt <dick.hardt@gmail.com> >>>> wrote: >>>> >>>>> To clarify, I am talking about HTTP cookies, which are effectively >>>>> opaque to the web browser, and used by the web server to store state. >>>>> >>>>> https://en.wikipedia.org/wiki/HTTP_cookie >>>>> >>>>> A client may use local storage for saving state, but that is >>>>> completely different from an HTTP cookie which is issued by the server. >>>>> ᐧ >>>>> >>>>> On Mon, Nov 23, 2020 at 8:30 AM Fabien Imbault < >>>>> fabien.imbault@gmail.com> wrote: >>>>> >>>>>> If the client was directly managing/storing its state, then it would >>>>>> indeed effectively work as a cookie. >>>>>> But here the access token merely provides a map to the current state >>>>>> (opaque to the client), as managed/controlled by the AS. >>>>>> It's a very different use case compared to what cookies are used for >>>>>> in webapps. >>>>>> >>>>>> Having a unique URL is a different design (XAuth was more aligned >>>>>> with that idea). >>>>>> >>>>>> Fabien >>>>>> >>>>>> >>>>>> On Mon, Nov 23, 2020 at 5:09 PM Dick Hardt <dick.hardt@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> If all the access token is doing is expressing "please continue" ... >>>>>>> why do we need an access token? >>>>>>> >>>>>>> Why not just have a unique URL for the grant request? The URL is the >>>>>>> identifier for the grant request that allows the client to delete, update, >>>>>>> etc. >>>>>>> >>>>>>> How the access token is being used is just like a cookie. The AS >>>>>>> gives a string to the client and the client must pass the string back to >>>>>>> the AS when it calls it, the AS may then give a new string to the client >>>>>>> for the next call. Works like a cookie. I don't know why you think there >>>>>>> are legal issues around this. >>>>>>> >>>>>>> /Dick >>>>>>> >>>>>>> >>>>>>> >>>>>>> ᐧ >>>>>>> >>>>>>> On Sun, Nov 22, 2020 at 11:40 PM Fabien Imbault < >>>>>>> fabien.imbault@gmail.com> wrote: >>>>>>> >>>>>>>> Hi Dick, >>>>>>>> >>>>>>>> In GNAP, the client isn't managing state (unlike a web app), the >>>>>>>> entire point is that the lifecycle should be managed by the AS. >>>>>>>> >>>>>>>> As in any state machine, there are states and transitions. Here >>>>>>>> we're not passing state, merely expressing "please continue". The client >>>>>>>> can be completely unaware of the underlying state. >>>>>>>> In effect the client only has the ability to ask the server to >>>>>>>> generate the next transition. >>>>>>>> >>>>>>>> So I don't think you can compare that to cookies. It's a different >>>>>>>> behavior. BTW if it was the case it would lead to a whole new class of >>>>>>>> issues, because there's an entire legal framework around cookies... >>>>>>>> >>>>>>>> To avoid confusion with a standard access token, we have the "key" >>>>>>>> field. My proposal would be to make it more explicitly (cf comment in issue >>>>>>>> 67). >>>>>>>> >>>>>>>> Fabien >>>>>>>> >>>>>>>> >>>>>>>> Le lun. 23 nov. 2020 à 02:06, Dick Hardt <dick.hardt@gmail.com> a >>>>>>>> écrit : >>>>>>>> >>>>>>>>> When I look at how GNAP is using access tokens for continuation >>>>>>>>> requests, and the pull request #129 >>>>>>>>> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129> >>>>>>>>> >>>>>>>>> Those "access tokens" look a lot more like cookies (managing >>>>>>>>> state) than how access tokens are usually used (representing >>>>>>>>> authorization). See table below. >>>>>>>>> >>>>>>>>> If there is a real requirement for passing state back and forth >>>>>>>>> between a server (the AS in this case) and the client when making API >>>>>>>>> calls, then I suggest that is out of scope for GNAP as I see it being a >>>>>>>>> general purpose mechanism for any API. >>>>>>>>> >>>>>>>>> /Dick >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *cookies*- issued by server being accessed >>>>>>>>> - are not presented to other servers >>>>>>>>> - issued after first access >>>>>>>>> - may be different for different URLs >>>>>>>>> - may be updated on each access >>>>>>>>> - represents the context of a session (state) >>>>>>>>> >>>>>>>>> >>>>>>>>> *access tokens*- issued by an independent service (AS) >>>>>>>>> - may be used at any URL at the RS >>>>>>>>> - new ones issued by AS as needed >>>>>>>>> - represents authorization granted to a client at an RS >>>>>>>>> ᐧ >>>>>>>>> -- >>>>>>>>> TXAuth mailing list >>>>>>>>> TXAuth@ietf.org >>>>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>>>> >>>>>>>> -- >>>> TXAuth mailing list >>>> TXAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/txauth >>>> >>>> >>>>
- [GNAP] "Access Token" when calling AS is really a… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Justin Richer
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt